[Problem description]: The selinux-autorelabel.service from the policycoreutils package causes the machine to reboot

[root@iZbp1cail4enurzjt4btbmZ ~]# systemctl start selinux-autorelabel.service
Job for selinux-autorelabel.service canceled.
[root@iZbp1cail4enurzjt4btbmZ ~]#
Remote side unexpectedly closed network connection

[Environment]:

Kernel:
[root@iZbp1cail4enurzjt4btbmZ ~]# uname -r
5.10.134-12.1.an23.x86_64

Operating system:
[root@iZbp10c42cb8dvhjyxifgmZ ~]# cat /etc/os-release
NAME="Anolis OS"
VERSION="23"
ID="anolis"
VERSION_ID="23"
PLATFORM_ID="platform:an23"
PRETTY_NAME="Anolis OS 23"
ANSI_COLOR="0;31"
HOME_URL="https://openanolis.cn/"
BUG_REPORT_URL="https://bugzilla.openanolis.cn/"

Package:
[root@iZbp1cail4enurzjt4btbmZ ~]# yum info policycoreutils
Last metadata expiration check: 2:03:25 ago on Thu 30 Mar 2023 02:42:05 PM CST.
Installed Packages
Name         : policycoreutils
Version      : 3.5
Release      : 1.an23
Architecture : x86_64
Size         : 713 k
Source       : policycoreutils-3.5-1.an23.src.rpm
Repository   : @System
From repo    : BaseOS-Test
Summary      : SELinux policy core utilities
URL          : https://github.com/SELinuxProject/selinux
License      : GPLv2
Description  : Security-enhanced Linux is a feature of the Linux® kernel and a number
             : of utilities with enhanced security functionality designed to add
             : mandatory access controls to Linux. The Security-enhanced Linux
             : kernel contains new architectural components originally developed to
             : improve the security of the Flask operating system. These
             : architectural components provide general support for the enforcement
             : of many kinds of mandatory access control policies, including those
             : based on the concepts of Type Enforcement®, Role-based Access
             : Control, and Multi-level Security.
             :
             : policycoreutils contains the policy core utilities that are required
             : for basic operation of a SELinux system. These utilities include
             : load_policy to load policies, setfiles to label filesystems, newrole
             : to switch roles.

[Probability of occurrence]: Always reproducible

[Steps to reproduce]:
yum install policycoreutils
systemctl start selinux-autorelabel.service
This is caused by a service that was newly added by the policycoreutils upgrade.

[root@test ~]# rpm -ql policycoreutils | grep service
[root@test ~]# yum update -y policycoreutils
Last metadata expiration check: 0:10:22 ago on Thu 30 Mar 2023 04:44:22 PM CST.
Dependencies resolved.
===============================================================================================================================
 Package                          Architecture   Version        Repository          Size
===============================================================================================================================
Upgrading:
 libselinux                       x86_64         3.5-1.an23     BaseOS-Nightly       95 k
 libselinux-devel                 x86_64         3.5-1.an23     AppStream-Nightly   113 k
 libselinux-static                x86_64         3.5-1.an23     AppStream-Nightly   107 k
 libselinux-utils                 x86_64         3.5-1.an23     BaseOS-Nightly      139 k
 libsemanage                      x86_64         3.5-1.an23     BaseOS-Nightly      134 k
 libsemanage-devel                x86_64         3.5-1.an23     AppStream-Nightly    51 k
 libsemanage-static               x86_64         3.5-1.an23     AppStream-Nightly   137 k
 libsepol                         x86_64         3.5-1.an23     BaseOS-Nightly      341 k
 libsepol-devel                   x86_64         3.5-1.an23     AppStream-Nightly    39 k
 libsepol-static                  x86_64         3.5-1.an23     AppStream-Nightly   406 k
 policycoreutils                  x86_64         3.5-1.an23     BaseOS-Nightly      209 k
 policycoreutils-dbus             noarch         3.5-1.an23     AppStream-Nightly    13 k
 policycoreutils-devel            x86_64         3.5-1.an23     AppStream-Nightly   143 k
 policycoreutils-gui              noarch         3.5-1.an23     AppStream-Nightly   285 k
 policycoreutils-newrole          x86_64         3.5-1.an23     BaseOS-Nightly       23 k
 policycoreutils-python-utils     noarch         3.5-1.an23     AppStream-Nightly    68 k
 python3-libselinux               x86_64         3.5-1.an23     BaseOS-Nightly      195 k
 python3-libsemanage              x86_64         3.5-1.an23     AppStream-Nightly    83 k
 python3-policycoreutils          noarch         3.5-1.an23     AppStream-Nightly   2.1 M

Transaction Summary
===============================================================================================================================
Upgrade  19 Packages

Total download size: 4.6 M
Downloading Packages:
(1/19): libselinux-3.5-1.an23.x86_64.rpm                       792 kB/s |  95 kB     00:00
(2/19): libselinux-utils-3.5-1.an23.x86_64.rpm                 1.0 MB/s | 139 kB     00:00
(3/19): libsemanage-3.5-1.an23.x86_64.rpm                      959 kB/s | 134 kB     00:00
(4/19): policycoreutils-newrole-3.5-1.an23.x86_64.rpm          509 kB/s |  23 kB     00:00
(5/19): libsepol-3.5-1.an23.x86_64.rpm                         3.6 MB/s | 341 kB     00:00
(6/19): policycoreutils-3.5-1.an23.x86_64.rpm                  1.8 MB/s | 209 kB     00:00
(7/19): python3-libselinux-3.5-1.an23.x86_64.rpm               2.2 MB/s | 195 kB     00:00
(8/19): libselinux-devel-3.5-1.an23.x86_64.rpm                 1.5 MB/s | 113 kB     00:00
(9/19): libselinux-static-3.5-1.an23.x86_64.rpm                2.1 MB/s | 107 kB     00:00
(10/19): libsemanage-devel-3.5-1.an23.x86_64.rpm               765 kB/s |  51 kB     00:00
(11/19): libsepol-devel-3.5-1.an23.x86_64.rpm                  757 kB/s |  39 kB     00:00
(12/19): libsemanage-static-3.5-1.an23.x86_64.rpm              1.4 MB/s | 137 kB     00:00
(13/19): policycoreutils-dbus-3.5-1.an23.noarch.rpm            304 kB/s |  13 kB     00:00
(14/19): libsepol-static-3.5-1.an23.x86_64.rpm                 7.3 MB/s | 406 kB     00:00
(15/19): policycoreutils-python-utils-3.5-1.an23.noarch.rpm    1.2 MB/s |  68 kB     00:00
(16/19): policycoreutils-gui-3.5-1.an23.noarch.rpm             4.1 MB/s | 285 kB     00:00
(17/19): policycoreutils-devel-3.5-1.an23.x86_64.rpm           1.6 MB/s | 143 kB     00:00
(18/19): python3-libsemanage-3.5-1.an23.x86_64.rpm             1.6 MB/s |  83 kB     00:00
(19/19): python3-policycoreutils-3.5-1.an23.noarch.rpm          17 MB/s | 2.1 MB     00:00
-------------------------------------------------------------------------------------------------------------------------------
Total                                                          7.9 MB/s | 4.6 MB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                       1/1
  Upgrading        : libsepol-3.5-1.an23.x86_64                            1/38
  Upgrading        : libselinux-3.5-1.an23.x86_64                          2/38
  Running scriptlet: libselinux-3.5-1.an23.x86_64                          2/38
  Upgrading        : libsemanage-3.5-1.an23.x86_64                         3/38
  Upgrading        : libsepol-devel-3.5-1.an23.x86_64                      4/38
  Upgrading        : libselinux-devel-3.5-1.an23.x86_64                    5/38
  Upgrading        : python3-libselinux-3.5-1.an23.x86_64                  6/38
  Upgrading        : python3-libsemanage-3.5-1.an23.x86_64                 7/38
  Upgrading        : libsemanage-devel-3.5-1.an23.x86_64                   8/38
  Upgrading        : libselinux-utils-3.5-1.an23.x86_64                    9/38
  Upgrading        : policycoreutils-3.5-1.an23.x86_64                    10/38
  Running scriptlet: policycoreutils-3.5-1.an23.x86_64                    10/38
  Upgrading        : python3-policycoreutils-3.5-1.an23.noarch            11/38
  Upgrading        : policycoreutils-dbus-3.5-1.an23.noarch               12/38
  Upgrading        : policycoreutils-python-utils-3.5-1.an23.noarch       13/38
  Upgrading        : policycoreutils-devel-3.5-1.an23.x86_64              14/38
  Upgrading        : policycoreutils-gui-3.5-1.an23.noarch                15/38
  Upgrading        : policycoreutils-newrole-3.5-1.an23.x86_64            16/38
  Upgrading        : libsemanage-static-3.5-1.an23.x86_64                 17/38
  Upgrading        : libselinux-static-3.5-1.an23.x86_64                  18/38
  Upgrading        : libsepol-static-3.5-1.an23.x86_64                    19/38
  Cleanup          : policycoreutils-gui-3.4-4.an23.noarch                20/38
  Cleanup          : policycoreutils-devel-3.4-4.an23.x86_64              21/38
  Cleanup          : policycoreutils-newrole-3.4-4.an23.x86_64            22/38
  Cleanup          : policycoreutils-python-utils-3.4-4.an23.noarch       23/38
  Cleanup          : policycoreutils-dbus-3.4-4.an23.noarch               24/38
  Cleanup          : python3-policycoreutils-3.4-4.an23.noarch            25/38
  Cleanup          : libsepol-static-3.4-3.an23.x86_64                    26/38
  Cleanup          : libsemanage-static-3.4-3.an23.x86_64                 27/38
  Cleanup          : libsemanage-devel-3.4-3.an23.x86_64                  28/38
  Cleanup          : libselinux-static-3.4-3.an23.x86_64                  29/38
  Cleanup          : policycoreutils-3.4-4.an23.x86_64                    30/38
  Cleanup          : python3-libsemanage-3.4-3.an23.x86_64                31/38
  Cleanup          : libselinux-devel-3.4-3.an23.x86_64                   32/38
  Cleanup          : libsemanage-3.4-3.an23.x86_64                        33/38
  Cleanup          : libselinux-utils-3.4-3.an23.x86_64                   34/38
  Cleanup          : python3-libselinux-3.4-3.an23.x86_64                 35/38
  Cleanup          : libsepol-devel-3.4-3.an23.x86_64                     36/38
  Cleanup          : libselinux-3.4-3.an23.x86_64                         37/38
  Cleanup          : libsepol-3.4-3.an23.x86_64                           38/38
  Running scriptlet: libsepol-3.4-3.an23.x86_64                           38/38
  Verifying        : libselinux-3.5-1.an23.x86_64                          1/38
  Verifying        : libselinux-3.4-3.an23.x86_64                          2/38
  Verifying        : libselinux-utils-3.5-1.an23.x86_64                    3/38
  Verifying        : libselinux-utils-3.4-3.an23.x86_64                    4/38
  Verifying        : libsemanage-3.5-1.an23.x86_64                         5/38
  Verifying        : libsemanage-3.4-3.an23.x86_64                         6/38
  Verifying        : libsepol-3.5-1.an23.x86_64                            7/38
  Verifying        : libsepol-3.4-3.an23.x86_64                            8/38
  Verifying        : policycoreutils-3.5-1.an23.x86_64                     9/38
  Verifying        : policycoreutils-3.4-4.an23.x86_64                    10/38
  Verifying        : policycoreutils-newrole-3.5-1.an23.x86_64            11/38
  Verifying        : policycoreutils-newrole-3.4-4.an23.x86_64            12/38
  Verifying        : python3-libselinux-3.5-1.an23.x86_64                 13/38
  Verifying        : python3-libselinux-3.4-3.an23.x86_64                 14/38
  Verifying        : libselinux-devel-3.5-1.an23.x86_64                   15/38
  Verifying        : libselinux-devel-3.4-3.an23.x86_64                   16/38
  Verifying        : libselinux-static-3.5-1.an23.x86_64                  17/38
  Verifying        : libselinux-static-3.4-3.an23.x86_64                  18/38
  Verifying        : libsemanage-devel-3.5-1.an23.x86_64                  19/38
  Verifying        : libsemanage-devel-3.4-3.an23.x86_64                  20/38
  Verifying        : libsemanage-static-3.5-1.an23.x86_64                 21/38
  Verifying        : libsemanage-static-3.4-3.an23.x86_64                 22/38
  Verifying        : libsepol-devel-3.5-1.an23.x86_64                     23/38
  Verifying        : libsepol-devel-3.4-3.an23.x86_64                     24/38
  Verifying        : libsepol-static-3.5-1.an23.x86_64                    25/38
  Verifying        : libsepol-static-3.4-3.an23.x86_64                    26/38
  Verifying        : policycoreutils-dbus-3.5-1.an23.noarch               27/38
  Verifying        : policycoreutils-dbus-3.4-4.an23.noarch               28/38
  Verifying        : policycoreutils-devel-3.5-1.an23.x86_64              29/38
  Verifying        : policycoreutils-devel-3.4-4.an23.x86_64              30/38
  Verifying        : policycoreutils-gui-3.5-1.an23.noarch                31/38
  Verifying        : policycoreutils-gui-3.4-4.an23.noarch                32/38
  Verifying        : policycoreutils-python-utils-3.5-1.an23.noarch       33/38
  Verifying        : policycoreutils-python-utils-3.4-4.an23.noarch       34/38
  Verifying        : python3-libsemanage-3.5-1.an23.x86_64                35/38
  Verifying        : python3-libsemanage-3.4-3.an23.x86_64                36/38
  Verifying        : python3-policycoreutils-3.5-1.an23.noarch            37/38
  Verifying        : python3-policycoreutils-3.4-4.an23.noarch            38/38

Upgraded:
  libselinux-3.5-1.an23.x86_64
  libselinux-devel-3.5-1.an23.x86_64
  libselinux-static-3.5-1.an23.x86_64
  libselinux-utils-3.5-1.an23.x86_64
  libsemanage-3.5-1.an23.x86_64
  libsemanage-devel-3.5-1.an23.x86_64
  libsemanage-static-3.5-1.an23.x86_64
  libsepol-3.5-1.an23.x86_64
  libsepol-devel-3.5-1.an23.x86_64
  libsepol-static-3.5-1.an23.x86_64
  policycoreutils-3.5-1.an23.x86_64
  policycoreutils-dbus-3.5-1.an23.noarch
  policycoreutils-devel-3.5-1.an23.x86_64
  policycoreutils-gui-3.5-1.an23.noarch
  policycoreutils-newrole-3.5-1.an23.x86_64
  policycoreutils-python-utils-3.5-1.an23.noarch
  python3-libselinux-3.5-1.an23.x86_64
  python3-libsemanage-3.5-1.an23.x86_64
  python3-policycoreutils-3.5-1.an23.noarch

Complete!
[root@test ~]# rpm -ql policycoreutils | grep service
/usr/lib/systemd/system/selinux-autorelabel-mark.service
/usr/lib/systemd/system/selinux-autorelabel.service
[root@test ~]#
View the service contents:

# cat /usr/lib/systemd/system/selinux-autorelabel.service
[Unit]
Description=Relabel all filesystems
DefaultDependencies=no
Conflicts=shutdown.target
After=sysinit.target
Before=shutdown.target
ConditionSecurity=selinux

[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel
Type=oneshot
TimeoutSec=0
RemainAfterExit=yes
StandardOutput=journal+console

When the service starts, it executes /usr/libexec/selinux/selinux-autorelabel.
While running, that command calls systemctl reboot to restart the system.
The purpose of this service is to relabel all filesystems, so rebooting the system is normal.
by design
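
The analysis above (the unit's ExecStart script calls systemctl reboot) can be turned into a check to run before starting an unfamiliar unit by hand. The script below is an added example, not part of the original report or of policycoreutils; the function names, the ROOT argument and the helper-script body are assumptions made for illustration, and the unit file is abridged from the one quoted above.

```shell
# exec_path UNIT_FILE -> program path of the first ExecStart= line,
# with systemd's special prefixes (-, @, :, +, !) stripped.
exec_path() {
    sed -n 's/^ExecStart=[-@:+!]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

# reboots_host UNIT_FILE [ROOT] -> 0 if the ExecStart target invokes a
# reboot/shutdown command, 1 if not, 2 if the target cannot be read.
# ROOT (hypothetical argument) prefixes the path, e.g. an unpacked RPM tree.
reboots_host() {
    target="${2:-}$(exec_path "$1")"
    [ -r "$target" ] || return 2
    # Drop comment lines, then look for commands that take the host down.
    grep -v '^[[:space:]]*#' "$target" |
        grep -Eq '(^|[[:space:];&|/])(systemctl([[:space:]]+-[^[:space:]]+)*[[:space:]]+(reboot|poweroff|halt|kexec)|reboot|poweroff|shutdown)([[:space:];&]|$)'
}

# make_fixture DIR -> writes the unit quoted on this page (abridged) and a
# constructed stand-in for its helper script, plus a harmless control unit.
make_fixture() {
    mkdir -p "$1/usr/libexec/selinux" "$1/usr/bin"
    cat > "$1/selinux-autorelabel.service" <<'EOF'
[Unit]
Description=Relabel all filesystems
ConditionSecurity=selinux
[Service]
ExecStart=/usr/libexec/selinux/selinux-autorelabel
Type=oneshot
EOF
    cat > "$1/usr/libexec/selinux/selinux-autorelabel" <<'EOF'
#!/bin/bash
# constructed sample: relabel, then restart the machine
fixfiles -F restore
systemctl reboot
EOF
    printf '#!/bin/sh\nexit 0\n' > "$1/usr/bin/true"
    printf '[Service]\nExecStart=-/usr/bin/true\n' > "$1/harmless.service"
}

demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
if reboots_host "$demo_dir/selinux-autorelabel.service" "$demo_dir"; then
    echo "selinux-autorelabel.service: ExecStart target reboots the host"
fi
rm -rf "$demo_dir"
```

On a live system, call reboots_host with the real unit path and no ROOT argument. The match is a text heuristic, so a result of 1 does not prove the script leaves the host running.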